
BSidesNoVA 2021 | Panel: SOC Life

BSides NoVa, 56:17, published 2021-06
About this talk
Presented at BSidesNoVA 2021 on 5 June 2021 by Sophia Fadli, Brad Schonhorst, Jeremiah Osburn, and Steve Helfen
Transcript [en]

Good morning everyone. This is the panel on the SOC life, and here today I am going to start by having the panelists introduce themselves.

All right, my name is Jeremiah Osburn; everyone just calls me Oz. I am currently the director of security operations at Capital One.

Hi, I'm Brad Schonhorst, happy to be here today. I'm currently working at AT&T managing SOC as a service. Before that I was at Sony, and I worked at the Pentagon before that.

Awesome. Steve, you want to introduce yourself?

Yeah, hey everybody, Steve Helfen, director of SOC operations and intelligence for [redacted]. It's not that hard to find, but I'm not going to officially say it here, since legal is not on my team today. But yeah, so a do-nothing manager, one of those guys.

Awesome. All right, let's get started with the conversation. One of my first questions to the panel here, and whoever wants to start first go ahead: I want to start by having you guys tell us a little bit about your journey, how you got to where you are, and what really drew you to your jobs.

Sure, I guess I'll start real quick. So I'd say in high school I was really intelligent but I didn't do my homework, so I ended up joining the military, because one of my buddies was like, hey, if you help me, I get a promotion. I was like, cool, that sounds awesome. So I joined the military, I joined the reserves, and I was really blessed throughout my military career, 12 years of reserves, to end up getting into a lot of really awesome reserve units. I know a lot of people say, oh, the reserves suck; not my experience. They gave me a clearance, they trained me. From there I became a contractor with Northrop Grumman and got into, I guess, information assurance, information security, where I did incident response for the Army's Computer Emergency Response Team, ACERT, or now what we call them, 1st IO Command. Met a lot of awesome people there, got to really understand how to do incident response. In 2003 the Army had 80 intrusions; in 2004, 480, and I was responsible for handling 400 of those, so it was like trial by fire: you have to do this. And it was really awesome. I mean, nowadays when people are googling whatever malware they're potentially looking at, they have hundreds of thousands if not millions of results, and in 2004 it's zero results. I was like, mslogon.dll, huh, look at that, nothing. Even Brad looks and he smiles like he knows exactly what that is; he probably knows what intrusion stuff that is. Then I got deployed, got to do a lot of cool IT stuff for war, which was cool, and then I came back at JTF-GNO, that's the Joint Task Force Global Network Operations, before they kind of bastardized it with a Cyber Command now. Met a lot of amazing people there, got to meet a lot of fantastic people, people who helped show me that threat intelligence is equally as important as response, because I'm just a responder by trait. Went to Raytheon to go lead their CERT; that was a really cool experience. After that I went to the Department of Energy for a couple of years, which was awesome. I got to go to Sandia National Labs and Los Alamos and Lawrence Livermore, some other places like in Amarillo, Texas, where they're storing nuclear weapons, and I was like, man, talking to some of the smartest people in the world. That was a lot of fun. And then I realized that being a contractor was cool from an individual contributor perspective, but I was being ignored when it came time to make a decision. So I said, well, I want to be a government civilian, so I joined the Defense Intelligence Agency as their branch chief at the DC and DC, that is, the DIA's Computer Network Defense Center, where I got to meet one of his former bosses, Kevin Cross, a lot of awesome people there, like Cyber Jesus, everyone knows James Elliot, really tall guy, really smart, he's always going to apologize, probably one of the most polite. And then I went to the White House after spending three years there, did four years at the White House, got to meet a lot of really cool people there, then Capital One after their breach. That's kind of my story, so I'll pass it to Brad.

Thanks. So I came at it a little bit differently. I started out back in, I guess, the late 90s, in college; I started working at a really small startup internet company, an internet service provider. I say small, there were like seven of us total. So we did everything, it was great: installing DSL lines and running a dial-up modem pool, setting up servers, and managing the customers and everything. But I got my first exposure to security there. We had a few people on the network, customers, who were maybe not paying, doing some hacking activities, and much to my surprise we decided to just kind of let them be. They were actually patching a lot of our systems so other people wouldn't get in, so we had this weird relationship with some of these guys where we would let them operate as long as they didn't do anything that would get us in trouble. From there I moved on and managed the computer network at a private school in Manhattan, and that's when I really got into security. I realized, all these kids, there are some really famous kids there, famous parents I guess, and I realized, man, if somebody gets into this network it's not going to be good for the school. So I started diving into network security, and I started following this blog by a guy named Richard Bejtlich, who you've probably heard of. He was talking about getting into cybersecurity and mentioned some of the scholarship programs through the DoD, and so I kind of went that route and got into a DoD program at NYU Poly, and that's kind of how I got into cybersecurity. Then I went to a ShmooCon back then, in 2000-something, I don't know what it was, maybe the second one or something like that, and then I was kind of hooked. So I ended up at DISA, which used to be kind of like the ISP for the DoD, and from there I did all kinds of stuff, but I was always kind of passionate about cyber operations; that's really where I wanted to be. So I met John Simone at a conference, a government conference he was running. He was the director of security at Secretary of Defense Communications, and we worked out a deal where we got DISA to put me on loan to his team for a year, and I went over there and set up some network security systems and really got some exposure to incident response and the cyber threat intel communities; met Oz there. Finished up my rotation over there, did another year with DISA, and then came back to SecDef Comms as a contractor and led a small team that did security monitoring and incident response for the Secretary. It was a very interesting place to be, because he's traveling all over the world, so we're trying to monitor and make sure his communications are secure when he's at a hotel in China or some other hostile network, so we saw some pretty interesting stuff there. Then I moved on to Sony, so I spent the last six years at Sony. I kind of built out their SOC analysis and response team, so when I went over there we had a team of about seven, and the mission was to monitor Sony globally, 200-plus companies, 24 hours a day, seven days a week, for any kind of hacking activity or anything that's bringing risk to the network. That was a great experience; I got a chance to really build a team from scratch, ended up with a sizable team, 30-plus people, had six line managers. We ended up with a team in Singapore that did an outstanding job, and that way we didn't have to have people working at night, so we tapped into the talent pool there. That was really good. And then recently I moved to AT&T; my team does SOC as a service for different programs that AT&T is working on with different customers. So that's kind of how I got here.

Hey, thanks Brad. All right, and our third panelist, Steve, want to tell us a little bit about how you got into what you do today?

Yeah, so kind of like Brad, I had a roundabout journey into where I sit today, so I also

came out of school at the end of the 90s and got the first glorious job of doing Y2K compliance programming in COBOL, so that was super exciting stuff. I did that for almost a whole year before I wanted to gouge my own eyes out and jumped over to Cisco, where I started working on software engineering for a telephony softswitch. So I spent about seven years there doing mostly software engineering, some build packaging work, and had an opportunity in the early 2000s to be the first technical employee at a startup. It was a small telecommunications startup serving the SMB market, so I came in there as the only real technical person, and essentially over the next 12 years started out with a couple of servers in the back of a leaky data center in the corner of somebody else's office and built that out into a 24/7/365 multi-data-center support organization. I can't remember what the exponential growth was, but I think we did something like 125,000 minutes of production business our first month, and by the last month we were doing 60 million, something like that, so a fairly decent growth curve there. But in the process of those 12 years I went from starting at network engineering and system support and back ends and builds and solution support to getting more mature and building out redundancies, and I think it was my first DEF CON, somewhere around 2009; my brother was doing cyber ops work for another group and dragged me in, and I was hooked. So we took one weekend there and figured out, this is what I want to do. I spent the next probably five years at my startup trying to transition from running the network and systems teams to building a security program, which was essentially non-existent. I can't imagine how much data we lost at the time; I don't know, it would be painful to understand that now. But I tried to spend the next however many years there transitioning out of doing networking and systems to just building a security program, and finally got to the point where I couldn't get any more support in what I was doing there and jumped ship. Where I went from there was to an MSP based in Northern Virginia doing mostly government contracting and support for different cyber initiatives with federal contracts, but they were in the process of building out a commercial SOC. So I spent the next couple of years leading the engineering group there and working closely with the analysts and operations teams to stand that SOC up, which was a really awesome learning place for me to really pick up a lot of how the tools are supposed to work, how everything integrates, dealing with all the road bumps or hiccups of any of those build capabilities. I got fairly situated there when I ended up getting an opportunity to land where I am today, running the ops and intel program for a global manufacturing company. It's a much larger footprint, so I've sort of gone from the big company to the small company to the big company, different pieces of cyber, from just scratching the surface and getting involved with my own initiatives, to doing almost exclusively engineering, to now running operations groups. I have a pretty far-ranging organization underneath me where I am today: I do operations, SOC ops and incident response, threat intel, threat hunt, e-discovery, security engineering. So it's interesting how little bits and pieces of all the stops along the way have all kind of culminated now, with all the people who have to listen to me flap my gums repeatedly and tell them what to do, even though I couldn't really sit in many of their seats and do all that work. Certainly a roundabout path to get there, so every day is a new interesting opportunity, including this morning, which I'm hopeful is going to handle itself without my having to break away to attend to stuff, but you

never know. So, very happy to be here.

Awesome, great, thanks Steve. On to more of how you guys are managing your teams and SOCs. So my question to you is, what's at the core of a successful SOC culture? What does that look like? Brad, do you want to go first?

Yeah, I think I kind of learned a lot of this the hard way, but anyone who's worked for me knows I really love documentation. So I think really breaking down all the processes into short, consumable documents and having that readily available, with the backup, and really making sure everyone understands what to do, because one of the things I love about incident response is also one of the downsides: the adrenaline, right? So in the moment you really just need these procedures laid out, you need to have run through them several times, and you need to have all your contacts and figure out exactly who you need to get a hold of. Like, how do you get a hold of legal if you need to engage them, or how do you talk to the corporate branding team, or the sysadmins who sit on the other side of the world; you're going to have to wake them up. So having all that thought about and planned ahead of time really makes for a well-oiled machine, and eventually the goal is everybody understands their role, you've thought through the scenarios, and then as the manager or leader you're not having to get up every time in the middle of the night when something happens. If you can get people in place that understand what to do and can handle the situation, then it just makes things run a lot smoother, because the last thing you need during a major incident is trying to scratch your head and figure out what to do. So preparation and documentation, I think, help a lot.

Yeah, preparation and documentation are very important. I like doing tabletop exercises, which you lead a lot of at Capital One. We recently did one on ransomware, so fortunately that's not going around here; we've not had to deal with that yet. But it ends up giving you confidence in not only the process but the people and the technology that you have in place, and giving some of our more junior personnel that opportunity to be in that position. So when they're on an incident call, and as Brad mentioned we have HR, we've got our legal, we've got branding on, we have our CISO, we have our CIO, we have all of these business units and representatives who all want to ask a hundred questions at one time, rapid fire, because it's really important, giving them that opportunity to kind of build and grow so that they understand, when the firefight happens, that this is what it's going to feel like. And typically, like Brad said, it is an adrenaline rush. As a responder you don't want to get owned, but you like the way it feels when you're in the middle of a firefight.

Yeah, not really; it is very exciting.

It is exciting. But yeah, having a well thought out purpose, following and testing those procedures with tabletop exercises or with a really robust red team who's constantly getting onto our network and pivoting and moving and using different tools, it makes the analyst more sensitive to, hey, wow, what's going on over here, and start asking questions and start digging into that and figuring out, hey, this looks really strange. So the preparation, the exercises, those are really important, right, keeping leadership, but also giving the analysts the confidence that they can do it, and when things happen you already know what

Steve, you want to give us your take on what it takes to build a successful SOC culture?

Yeah, I mean, tabletops are huge for us too; it's definitely one of those things. And particularly from my perspective today, because I'm in the trenches on these things, I'm sort of the crux and pivot point for all the communications up and down and across different organizations, right? So that's what I find is the most complicated thing. From the incident response perspective everyone knows what they're doing, right, so everyone's got their playbooks and people are following the procedures they're supposed to; everyone's technically sound and savvy. But getting that flurry of communications from the top down, in terms of what's happening now, what's happening now, where are we, what are the statuses, and then communicating across different organizations that we may need to be interacting with for whatever it happens to be, right, this network segment or this set of assets or these applications potentially that could be impacted, there's a bunch of different people that need to be brought into communications. And for a global footprint it could be the middle of the night in one place and daylight somewhere else, could be the weekend somewhere and still a work day in another spot. So ensuring that you have those communications pathways built beforehand, right: do we have people for this particular application or this particular set of infrastructure on point for a cyber incident? Okay, hey, stand them up, we have something going on; okay, everybody hops to, and we're all ready to take our set roles. That's great. The other thing that we try and do is cross-training, right, so inside the SOC with different incident response responsibilities or different tool sets or different communications responsibilities: hey, six months doing this, 12 months doing this, and we're going to roll you over to something else. And then if you do end up having a calamity where it's, hey, this is sort of an all hands on deck, I know this isn't my job today but we sure could use a hand here, I may have a couple of extra sets of hands that know what they're doing in another particular space that they used to operate in, where they can jump in and you get some of that force augmentation. So preparation is the key to all that. Without running through it and testing your capabilities when it's not actually burning down, when the live runs start firing it's tough at times to keep everybody on the same page.

Yeah, absolutely. And that leads me to a question to Brad: you and I yesterday kind of talked about building a diverse team and experience. You want to tell us your view of how

to go about that, how to execute, how do you actually accomplish that environment where most of the time everyone is needed 24/7 in their posts?

Yeah, for new analysts getting into the field I think it's really important to get as much experience as you can. So volunteer for things; if you're really passionate about it and have the cycles, build a system at home, learn how to execute malware safely, but also seek out different opportunities; you never know until you ask. So I was fortunate enough to be able to provide some opportunities to my team where they could cross-train with other teams outside the SOC too, so even getting into some engineering and then other security-related or operations-related teams, threat intel or forensics. For example, we had a forensics analyst come, and we were able to get his boss to agree to have him rotate through our SOC for three months, and he just went through all of our training as an analyst, learned how to do the job, even did some IR work for us, and then when he went back to the forensics team he knew exactly what we needed. When we're directing a response operation I need certain IOCs, I care about certain things in a forensics report, other stuff I don't really care about. So he learned to understand that, and then both teams were able to get more out of each other, so it's really a positive thing. You're not always going to have that opportunity available, but you could also do something where maybe you just go sit with another team for an hour a couple of times a week for a little bit and just understand: what do the threat intel analysts do and how does that apply to the SOC, or what are these guys and gals who are writing detection content for our team doing, what does that look like? So getting involved with other projects and then also with other groups I think is really, really important.

Yeah, kind of broaden your perspective a little bit. It creates some cross-collaboration between teams and fluency of information transfer, because we all know most teams get into their little bubble, and if you don't proactively challenge that, bring that collaboration to the table, you can have some segregation.

That's a great point. I mean, I think incident response, one of the things I like about it is when really running down an incident you have to collaborate with everybody in departments you may never have worked with, and if you can make some of those relationships ahead of time it will make your IR process work so much smoother. If they at least know your name, or maybe you've met in person, that'd be great too, because just emailing someone out of the blue and asking them to do XYZ right now usually doesn't work so well.

Yeah, without having previous relationships, right.

Yeah, right. You want to tell us how it happens in your environment?

Yeah, sure. I said it yesterday and I'll say it again: you cannot teach passion. I want my young analysts to be hungry. I want them to volunteer for work, I want them to do side-of-desk work, I want them to build their own home network, spin up some VMs, have a couple of unpatched VMs, have some patched VMs, and then go download malware and infect those VMs and see what happens. Take a snapshot, look at the delta of that: why did the malware do that, where's the persistence mechanism, did it drop any values in the registry, what's happening? And then be able to come back into work and ask other people. That is really important to me. I really enjoy that; as a part of my career I want to be able to give back. I also think that it's kind of like the military, crawl, walk, run, where you can learn how to do it and then you are doing it, but you really are a master of it when you can teach it to someone else. I would say volunteer, cross-train, ask to be engaged in different projects that are outside of your typical role; it is going to help expand you, and who knows. You might be "just a SOC analyst," and I really dislike that, but let's say you're just a SOC analyst; that doesn't mean that you might not be able to get into IDS, it doesn't mean you couldn't be a future pen tester, you could do future vulnerability assessments, you could become a network architect. There are so many career opportunities within cyber, so don't just pigeonhole yourself into one opportunity. I'm not going to say go be a job hopper; as a hiring manager I look for that type of thing. But if you're doing it to expand your roles and learn new capabilities and learn new responsibilities, it's only going to make you more valuable.

Yeah, and I can see a trend here where I feel like there are recommendations for the analysts on what they can do, but what can the leaders do to promote those kinds of opportunities? Because not all leaders are the same; I know some just want you to do your job and sit there and be good at what you do. So what's your advice to leaders?

Yeah, I would say for leaders, you want a diverse team. You don't want just the same person with the same skill set, because when you find yourself in that firefight, if you all think the same then you're probably not going to be open to, oh, well, maybe the actor is doing this, maybe there's another tool set that we could use that we could block it with or we could potentially redirect it, if you don't have someone who has a security engineering background, if you don't have someone who has learned routing. That's really important. And I understand a lot of SOC analysts are like, well, I have my SIEM, I have my case management, and I have a couple of consoles I log into, and that's really my job. It's like, no, that's not just your job. You want to build, you want to grow those capabilities so that you become kind of that Swiss Army knife, if you will. And from a leadership perspective, give people the opportunity to fail, right, and I don't want this to come across the wrong way: it's okay to fail, maybe not in the middle of an incident response disaster, but for little things. Give people the opportunity to do some public speaking. Like I said, with that recent ransomware, we had a younger, less experienced incident response associate who had just moved over from our detect role, and we put him in that role intentionally; we're giving him that opportunity, something he's never had the opportunity to do. So give people the opportunities to fail, and if they fail that's okay, that's how you learn. And look for other people in other portions of your organization; be like, hey, I've got someone who's really smart, someone who's really intelligent, help them build that relationship and build the rapport, and make recommendations on other mentorships. I'm constantly talking to other people: well, have you talked to this person over here, have you talked to that person? I don't know who they are; let me make the introduction for you. So it has to be a proactive effort; you can't just wish for a diverse team.

Steve, what about your experience with how you build that diverse team, and your advice for analysts and leaders as well?

Yeah, from my perspective as a manager of many people: be generous with your finances and your time, right? So I'm one of those people

who's pretty adamantly outspoken about training your people and giving them the opportunities to leave, right? So I tell my people all the time: my job is to get you interesting work, to train you to be prepared to handle it, and to get you as much money as I can afford. Then you will do your job; you do your job well and I will do those things for you, and we're all going to have a great time. It's going to be beneficial for the organization, it's going to be beneficial for me as a manager of your organization, it's going to be beneficial for you as an individual, right? And what I tell them regularly is, if I can't give you the work to continue to grow your career and expand what you're doing, or to find that next position within my organization or within the company, I will help you find one outside, right? This may not be my last job, it might not be my last company, and it probably won't be yours, specifically for the people that work for me that are in their early 20s, where this is their first job, maybe your second. It's not being super, it's trying to hold on to the assets, right, and it's a razor's edge, because you don't want to lose good people, you don't want to lose those capabilities of really high performing analysts or engineers, because they're super hard to replace. We all know that finding good people in this business is really tough. But I've found a much more responsive crowd among the people that work for me by coming at it from that perspective, which is: I will continue to train you and prepare you to literally take the next job that's not here, but I'm also going to work super hard to find you the position in this organization to keep growing your career here and producing for the benefit of my team, hopefully. So that's just the path that I've attempted to take.

Awesome. Brad, I think you had something to add?

Yeah, I think he hit on some really great points. I really like the philosophy of, if you find really great people, they're probably not going to stay with you forever, right? The really great ones are going to continue to rise up and go on and do great things, and so you want to really enable that, enable them to grow. It's not like you're encouraging them out the door, but you don't want to ever be stifling anyone, because people don't want to feel like, I'm not getting enough work, or my boss is kind of hoarding some of the growth opportunities. So the idea of being really generous is definitely important. And I think, like both you and I were saying, taking risks with your team, there's an art to it, right? You have to decide, is this particular incident one that we can afford to let a junior analyst run, for example, and just keep some close oversight but not be so overbearing that they can't really be creative with it, or is this one where there's so much risk to the business that we just can't, we need to bump it up to a senior person to run? And the other thing I'll just add is really learning: we're dealing with some really smart people. I usually end up with most of the people who work on my team being smarter than I am; I just try to kind of herd the cats a little bit. But everybody's got a unique background, a unique situation, so you need to be able to allow for that. Some people may need certain concessions; some people thrive and want to work overtime all the time, and you don't want them to burn out; other people, I've had other analysts that know the pace and tempo that we can get into and they kind of set a hard line, like, I'm out every day at three, or whatever, and if that works, that's fine, you can respect that too. You've just got to make sure that you fill the gaps with the team you have. But yeah, I think the generosity is probably the key.

I think that's a good summary. And first I want to pause: do we have any questions from the audience I want to address, as far as what we've talked about so far?

um

Oh, this one is for you. Yeah, well, I mean, that seems like... did your husband submit that? Because that's kind of a softball. So yeah, Sophia is on the team that runs our cyber exercise program at Capital One. So every quarter, sometimes more than just once. Yes, it started initially as a few times a month, because we had a young team. No, I mean, it's critically important to run through those processes and to give different opportunities to different people. It's also that you want to make sure that you actually have the confidence. Like, you

know, let's say that we have an EDR tool and we believe it's going to be successful and we believe that we'll be able to remote into a system. But unless you test it frequently, especially with this 100% work from home that a lot of the companies have transitioned to after COVID, if you don't practice it, then when something bad happens, how can you have confidence that your processes and your technology and your people are all going to work the way that you hope and the way that you plan for them to work out? Yeah, and the communication too, right? And you mentioned the communicating at

all levels. Yeah, the tabletop exercises I've done, I've done a couple different varieties of them over the years. We've done some that were kind of just internal to the SOC, where it's very much about technical response: how do you manage a large-scale response, hundreds or thousands of systems affected? That's a lot different than one that affects two or three systems. But there's also kind of the larger organization practice that's critically important as well. What is your company's stance on ransomware? Are you gonna pay the ransom? How do you get bitcoin? Like, how do you, you

know, what are you going to do in that scenario? Is it the lawyer? Like, you need to get legal to sign off on that, right? Like, it's a legal decision; it's not even about an incident response. So it's getting all those other parties involved that I think is really important. And it's also, selfishly, a great opportunity to let the rest of the company or organization get to know the security team, and it's kind of like a little bit of marketing for yourself. So I think, yeah, your point, at least a couple times a year is important, and

look at different scenarios in different parts of the organization or company that could be affected by something. That's great. Steve, do you want to add anything to... Yeah, I couldn't really hear the question. Was that the one that was typed in the text? Can you repeat the question? Yes, how often does... Yeah, so I mean, we do them, we try and do them quarterly. It doesn't always land that way, mostly because we had to break them up into chunks. So doing a corporate-wide tabletop is pretty challenging with the number of moving parts that I'm dealing with particularly. But sometimes we'll break them down into,

hey, we're going to work with this particular critical application team and we're going to do a small tabletop with them, or we're going to do one with this set of infrastructure for this data center space or this cloud space, and sort of try and refine how we would work if this got impacted or that got impacted. We conducted an executive-level one a couple months ago for ransomware, and that was actually really good. I think it was something that Brad and I touched on a little bit, where you get an opportunity to bring some faces into the mix with some of the high-level suits that may not ever

have any idea who some of these folks are that are in the trenches and grinding it out day in and day out, where you can put some of your high-level IR leads or SOC leads in a position to potentially do what we were talking about in that conversation previously about advancing people's careers and giving them a better opportunity to move around in the organization, or to at least get some face time so they can get some credit. Because I think we also know in this business that it may not necessarily be about the money; sometimes you just want the pat on the back and the recognition that

you've been grinding it out, and the assets you protected or the incidents you got in the way of really made a difference, not just to the organization but to your team and potentially the public reputation of either the organization or the corporation. So we try and do them as often as possible, whether they're more informal, but if we could get a formalized tabletop quarterly, I'd be pretty happy with that. Right, and I think the idea too is how quickly we can respond to whatever incident we have in our hands, and having all those questions reviewed before,

and people communicating and knowing exactly who is going to make that call and that decision. I mean, we see that all the time, where we're at the table and nobody knows. And so practice helps not only with being prepared to respond quickly but also with building that SOC culture, because analysts are also more confident in their ability to respond and to investigate and to find the right thing. Any other questions?

Great question. So the first place I go to is my personal network, right? Working at a number of places... I mean, I'm 42, got some gray here, I mean, like a lot of gray here, but I've worked with and worked for a lot of talented people in many organizations. So one of the first places I go to would be my personal network, or professional, my email list, where I'll be like, "Hey, I'm looking for this type of person, here's the compensation, here's the role. Does anyone have anyone?" Maybe someone who's young, someone who's up and coming, or "Hey, I need a leader,

I need something else." I mean, we actually just posted a senior manager role leading our fusion team within the security operations center, directly reporting to me. So anyone out there, you've got some experience... Capital One is a sponsor and they're a great company. Greg, Walter, both of us can talk about that. Yep, absolutely. Obviously LinkedIn is another really good place to go, and word of mouth within this industry is critical. So I call it the kiss of death, where I ask someone, like I ask Brad, "Hey, James Smith, how's James Smith? What do you think?" And he's like,

"He's a nice guy." It's like, oh okay, that's the politically correct way of saying a hard pass, right? But if I ask him about Jane Smith and he's like, "Oh my god, she's amazing. She does IR, she can do reverse engineering, she's really good with using Macs, she's so good, she's awesome, you need to get her right now." That's the type of response that I'm looking for when I want to hire people, because I know that if they can work for Brad they can certainly work for me. Like, I'm not saying that you're hard to work for, but I mean, we both worked for a

pretty demanding boss. Yeah, with Kevin it was his way or the highway, and so you learned. Absolutely, absolutely. So yeah, I just usually tap Oz's network, who works at Capital One. No, I agree, I mean, personal network is definitely a great starting point. I try to leverage my team's networks as well; a lot of them have good connections. And unfortunately, like anything, if you know somebody, a known good is always a great place to start, right? But we've had good luck with more of the just kind of going out and looking at random,

working with a recruiter, posting on the company website. But you can quickly get overwhelmed. I wasted so much time in interviews when I first started at Sony trying to build out this team, and we quickly realized that people had things on their resume they'd never done, and the definition of incident response in some organizations might mean just taking an email and forwarding it to someone else, versus what I was looking for, which was someone who can do technical work. So one thing we did to kind of weed people out who weren't technical enough for the position, because you don't want to have a bad match,

was we started doing a technical assessment. Before I would interview anyone, I'd look at their resume and then have them do some kind of technical assessment where they provided something in writing back to us, and that gave you a chance to see, can they handle some technical work? And then, how do they communicate? Can they communicate the information? I mean, like we've talked about, kind of a theme with incident response is communication. So it's a great gauge to see people coming in, and what I found was that most people who completed the exercise did pretty well, and then a lot of people just didn't bother, and

so then it just narrowed our choices down. Awesome. Steve, how do you find good talent? Yeah, all those things, but one of the other things that I've had good success with over my career as a hiring manager is tapping younger talent coming in. So if you can build a pipeline, if you can create internship programs, build a pipeline where you get good relationships with particular universities or training programs in your area, or where you need that talent, that's a great feeder system, because if you can get an intern in, they could take a couple months to prove their worth, and

I mean, I think it was Oz that said it earlier, just looking for passionate people and drive. You can pick up a lot, even if they're not doing really advanced work, from a really young person who potentially could grow quickly into a capable incident responder or SOC analyst. And then the other place that I've had success historically is to tap into other pieces of the organization that may not be cyber-specific, reaching into some of the potential networking infrastructure organizations or IT infrastructure organizations to find support people who are technically savvy but aren't necessarily cyber-specific. So people who can prove their technical worth and capability often train up very

quickly into the kind of work that we do. Bringing in an L1 who may not have any deep experience doing incident response or SOC analyst type activity, but is technically savvy and understands how systems communicate with each other or how internal processing on a particular system may work because they've done troubleshooting for years, they're really good at doing incident response activity. So with a little bit of additional training to get them into exactly what you need them to be doing, often it's not a bridge too far to find an asset right inside your own walls. It may not make the hiring managers on the infrastructure side all that happy when you poach their people,

but ultimately, keeping good people inside the organization will make senior leadership happy that they're not having to go outside to source talent; you can just move some pieces around, and potentially that new hire coming in in IT is going to be a more economically sound option for the accounting department than trying to hire in a cyber operator who could be twice as expensive. So just another place to look. Yeah, a follow-up question: do you guys feel that it's harder to hire internally than it is to hire externally, because it would take having that person move from that position and leaving the gap there? Is movement within the company

hard? And maybe, Steve, you tell us first, since you're always last. Yeah, it depends, right? So some organizations I've been at, it's easier than others. Normally the bigger the organization is, the more robust the HR talent organization inside may potentially be, and the less trouble you're gonna have. So there's a couple different boxes that you tick in terms of employee satisfaction and keeping retention, the numbers of having to go and churn out, right, the expense involved with bringing new people in. A lot of times, maybe not for the organization directly losing that person to another organization, but ultimately almost everyone else I've

found is pretty happy about "let's keep a person inside," right? They're happy, the new hiring manager is happy. You may not get a super enthusiastic losing manager, but ultimately the pros outweigh the cons. The smaller the organization is, the more challenging it has been. At the startup I was at, losing anybody in any capacity at any time was critical, because oftentimes they were single-threaded, there's no backup. So wherever that person was contributing before, now you have a gap until you fill the role, which, depending on how specific it is, can take quite a bit of time. So I think it depends mostly, at

least from what I've seen, on the size of the company. But more and more, at least for the companies that I've been associated with that tend to show more value for their people than just "everyone's a cog in the wheel and everyone's replaceable" (not my favorite mentality from the HR groups), it seems to be pretty well received. Thank you, Steve. Brad, did you want to add to that? Sure, I was just gonna say I've had mixed results as well. I think from an HR perspective it seems like they're generally more comfortable just doing external hires, or pushing an internal hire through the external hiring process. I have hired internally and I've

had great luck with that. One thing I will just say, though, is as a manager you need to make sure that you've established a clear deadline or cutoff for when they stop doing their old job, because inevitably what happens is they come join your team and they're doing your job and their old job, or they're training their replacement, and that can last six months, right? And it makes everybody uncomfortable. So you really have to have some kind of clearly established boundaries, I think, in most cases. Yeah, I would say there's pros and cons to both internal and external, right? I think one of the pros of hiring

internal is the person hopefully already knows what your network looks like, they know the enterprise, they know the tools. Plus you could go to their manager, their supervisor, and be like, "Hey, is this a high performer? What did they get on their last two performance appraisals? What type of role would you think this person is ready for? Are you going to promote that person into a role, or is it just a lateral?" And then I'd want to know the motivation: why are they looking to do this? Have they burned out? Because if you've already burned out of one role, you could potentially be coming into the

SOC and you're going to burn out again, because we've got high-energy work that we have to do. External, it's more of the unknown entity, but at the same time you could also be bringing in someone who has a fresh outlook. Yep, fresh outlook, fresh eyes to the same problem, but they could look at it from a different way. And I like a blend of both, if you could do the internal and the external. And to follow up on that, how do you guys prevent burnout, since we're talking about burnout? How do

you prevent that? And then follow up in the last couple minutes with: do you have any career advice for new interns or people interested in this career? Sure, so I guess I'll jump on that first one. Can you repeat the first one? How do you prevent the burnout? Yeah, I mean, work-life balance is really important, right? I told Sophia yesterday that I had a goal, seven years ago, that I want to become a CISO of a Fortune 500 company. Like, that is my career aspiration. That's why I went to college, got my master's degree, that's why I pivoted from being a

contractor to becoming a civilian, that's why I'm in the role that I'm in now, because I'm hoping that it's preparing me for that future role. But what I also realized is that I have two teenagers at home, and I want them to graduate high school before I commit myself to what I see my boss right now, my CISO Chris Betts, doing. He's working like 70, 80 hours a week, and to me that would probably be an unsustainable pace for a long period of time. And so I try to be very mindful of that, and for our analysts I want to lead by example. I take

vacation, and when I take vacation I turn off my phone for the most part. Like, I don't want to be the type of leader that says "do as I say, not as I do," because I think it leads to a poor example, and if they see that I'm on when I'm on vacation, they're gonna assume that "well, I need to be on on vacation as well," and I don't want them to feel that way. I want them to take vacation. When they're in training, and obviously this is pre-COVID, I want them to be at training, be a hundred percent there. If you're at a security conference, you're at ShmooCon or Black Hat or DEF CON

or BSides, go there, be there, expand your network. If you're on vacation, be on vacation, be present with your family. Disconnect. It's very healthy, and you need to disconnect, and if you don't, you are going to burn out. Okay, so I'm not doing that right now. This is me and my wife's 20th anniversary and we're doing a staycation in DC and I snuck out over here for this, so I'm not unplugging. But I wanted to talk a little bit about advice for new people getting into the field. I think right now there's a very unique opportunity where you don't need a

four-year degree, you don't need all those certifications. I've seen people spend tens of thousands of dollars getting all these certifications. A few of them are important; some places really do value them, some government agencies require them. But when I was interviewing people, I didn't ever look at where they went to college, I didn't look at any certification. I really was focused on what they could do and if they understood the job. And that means I hired a guy straight out of high school, might have dropped out of high school, and he became one of our highest-tiered analysts, just a rock star. You

know, so it's really about that hunger that you guys have both mentioned earlier. And there's so many free resources right now, so you don't need money to get into this job. Go online and learn how to do traffic analysis, look at pcaps, do malware analysis. There's tons of free resources. Learn how to stand up an Amazon cloud instance, an EC2 instance. Just go learn about this stuff and you can jump in. Anytime you're interviewing for an entry-level role, when you can talk about any of those three things, their ears are going to perk up,

so we'll have a good conversation after this one of certs versus no certs. We're, I think, at the end of our talk. Steve, did you want to add anything, any advice for anyone who wants to get into... Oh yeah, sure. I thought you were gonna ask me about burnout, in which case I was gonna say, as soon as I figure that one out I'll let you know. I don't have the right answer for that one yet, but I'm constantly working on that. So getting into the field: be curious, tinker, right? So set up a complex network at your

house. Go buy a switch, a managed switch, off the internet for 15 and see what you can put together. Figure out VLANs, figure out how to infect things in a safe space in your own network. Don't do that on your... don't have one VLAN or just your regular switch or unmanaged switch and start firing off malware in your network, right? Good starts, but tinker, right? When I interview people, I'm certainly interested in their experience, but the conversations I find to be the most valuable when I'm interviewing someone specifically for a technical role are: what does your home network look like? What kind of tinkering are you

doing? Are you doing CTFs? Are you engaged in the community? How are you trying to increase your baseline of knowledge and capability outside of the day-to-day tasking that you're currently in? For those of us old people getting farther and farther along, specifically with kids and families and all that good stuff going on outside of work, that work-life balance for us is hard too, right? We're just managers; I sit in meetings all day and read email, that's all I do, that's according to my staff. There's a lot of it, so my amount of free time is also limited, but I'm still

trying to be in the game, trying to get my hands on a keyboard and do actual technical work as often as I can, just to keep the spear sharp a little bit. And ultimately that's good advice up and down the line. Yeah, you can't be limited to just what you learned during the day; you gotta take things outside of your day and learn, and I think you mentioned that in our conversation yesterday. Yeah, and there's a ton to learn in the space that we don't know, right? There's a ton of stuff that I come across all the time where, yeah man, I didn't know anything about that,

or I've heard of that, I need to get more educated on what that thing is, and then do it. You're never going to regret increasing your knowledge base a little bit more on something that's a little scary or unknown for you. Yeah, absolutely. Another thing I just want to pitch in: networking is great, go to your local conferences, BSides NoVA, BSides DC, BSides Charm, Shmoo. On that note, I want to thank our panelists for their time today, and for taking away from their anniversary to make it to our conference. Thanks to all of you attendees. If you had any questions that we weren't able to get to,

feel free to connect with our speakers online. Hopefully they're still on the... LinkedIn is always good. Yeah, LinkedIn, Twitter should be good. Thank you, everyone.